registry  /  @moonmath-ai/zro  /  0.1.2

@moonmath-ai/zro@0.1.2

Launch coding tools with the Zro OpenAI-compatible endpoint.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are explicit CLI behavior for launching supported AI tools through the Zro endpoint, not install-time or import-time execution.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs zro login or zro launch <tool>
Impact
Configures selected tools to use Zro API credentials and endpoint; no evidence of credential harvesting or exfiltration beyond intended tool environment/config.
Mechanism
User-invoked tool launcher and provider config generator
Rationale
Static inspection shows a user-invoked CLI that stores/uses Zro credentials and launches named AI tools with package-aligned provider configuration. There are no lifecycle hooks, covert network calls, unconsented AI-agent control-surface mutations, or credential exfiltration paths in the inspected source.
Evidence
package.jsondist/cli.jsdist/run.jsdist/key.jsdist/constants.jsdist/tools/codex.jsdist/tools/claude.jsdist/tools/hermes.jsdist/tools/openclaw.jsdist/tools/opencode.jsdist/files.js~/.config/zro/credentials.json/tmp/zro-launch-<pid>-<time>/...~/.config/zro/codex-app/config.toml~/.config/zro/codex-app/.env~/.config/zro/codex-app/zro-models.json
Network endpoints3
inference.moonmath.aiinference.moonmath.ai/v1opencode.ai/config.json

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/run.js spawns external tools and writes launch/config files when user runs zro launch
  • dist/tools/codex.js persists Codex App config and .env under ~/.config/zro/codex-app for codex-app mode
  • dist/key.js stores ZRO_API_KEY in ~/.config/zro/credentials.json on explicit zro login
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook executed on install
  • dist/cli.js only calls run() for explicit CLI invocation
  • dist/constants.js endpoint is package-aligned: https://inference.moonmath.ai/v1
  • dist/run.js redacts key-like env values in --print output and removes temp launch files after spawn
  • dist/tools/hermes.js/openclaw.js/opencode.js read existing user config but write modified copies under temp HOME/XDG_CONFIG_HOME
  • rg found no fetch/http client, eval, Function, dynamic require, or native/binary loading
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 15 file(s), 37.7 KB of source, external domains: inference.moonmath.ai, opencode.ai

Source & flagged code

1 flagged · loading source
dist/run.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @moonmath-ai/zro@0.1.0 matchedIdentity = npm:QG1vb25tYXRoLWFpL3pybw:0.1.0 similarity = 0.786 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/run.jsView on unpkg

Findings

1 Critical1 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/run.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License